Researchers Search Web While Hiding What They’re Searching For
Researchers introduce 'Splinter,' a system to quickly search databases without showing the server what's being searched for
When you search for something on the internet, it’s always been a given that your request will be recorded and stored — whether it’s a stock price, medical symptoms, or the cheapest air fare to Hawaii.
But there might be a better way — a way to quickly search large data without identifying a user’s query — a group of MIT researchers says.
Normally, in order to perform a basic search, you need to communicate with a server, which in turn needs to know what you’re looking for in order to find the appropriate results in its database. The downside is that each search you make reveals a huge amount of information about you, and that data is frequently mined to build user profiles and target ads around some of your most private interests, thoughts, and activities.
In a paper due to be presented at the 14th USENIX Symposium on Networked Systems Design and Implementation, the researchers introduce a system called Splinter, which they say would allow completely private searches.
Essentially, the system hides the user’s queries by breaking them up into encrypted pieces, each processed by a separate server. It then uses a technique called “function secret sharing,” which performs a mathematical function on every record in the databases and returns a matching result to the user. That result can’t be understood by the server — instead, it can only be read by the user once all the pieces are re-assembled on their local device.
“The canonical example behind this line of work was public patent databases. When people were searching for certain kinds of patents, they gave away the research they were working on,” said Frank Wang, an MIT graduate student and the paper’s lead author, in a press statement sent to Vocativ. “Another example is maps: When you’re searching for where you are and where you’re going to go, it reveals a wealth of information about you.”
Wang says the paper comes amid increasing demand for private web searches. He notes the popularity of search engines like DuckDuckGo, which gets search results from other sites like Google but claims it doesn’t store any information about users’ queries. Companies like Least Authority and SpiderOak offer something similar for cloud storage, using “zero knowledge” systems that ensure only the user can read their stored data.
“We see a shift toward people wanting private queries,” Wang said. “We can imagine a model in which other services scrape a travel site, and maybe they volunteer to host the information for you, or maybe you subscribe to them. Or maybe in the future, travel sites realize that these services are becoming more popular and they volunteer the data. But right now, we’re trusting that third-party sites have adequate protections, and with Splinter we try to make that more of a guarantee.”
The paper’s authors concede that it might be a while before something like Splinter becomes implemented into real-world services. But the researchers say that their function secret sharing technique greatly improves on previous experiments with hidden database queries, allowing searches to be run up to ten times faster.
“There’s always this gap between something being proposed on paper and actually implementing it,” said Wang. “We do a lot of optimization to get it to work, and we have to do a lot of tricks to get it to support actual database queries.”